Monday, July 10, 2006

A New Danger on the Internet: Rootkits

There is a new buzzword on the Internet these days: “rootkit.” Rootkits are a new form of malware. They are difficult to detect and harder to remove, and they pose a greater danger than typical viruses and spyware. What makes them unique is their ability to hide themselves from antivirus and anti-spyware scanners. They accomplish this by hiding within a system’s processes, so they are invisible to the task manager. Once installed, they are notoriously difficult to remove (1). Oftentimes, rootkits are used in conjunction with Trojans: the rootkit hides the presence of the Trojan, allowing it to record keystrokes, harvest passwords, and so on.

The most notorious rootkit wasn’t developed by criminals but by Sony BMG. Sony distributed several music CDs carrying its rootkit as part of its antipiracy campaign. It came to light when a customer, who also happened to be a security software analyst, detected some odd activity on his home computer (2). After thoroughly searching his PC, he found some hidden files. Eventually, it became clear that the hidden files had been installed by the music CDs he had played on his PC. What came next was a PR nightmare for Sony. Customers were outraged at Sony’s underhanded campaign to distribute its rootkit. Irrespective of Sony’s intent, customers demanded that the music CDs be removed from the shelves. In addition, Sony was forced to release a patch to remove the rootkit. Unfortunately, the patch was worse than the rootkit. To make matters worse, once it became known that several computers had Sony’s rootkit installed, hackers developed their own malware that used Sony’s rootkit to hide itself. Thankfully, security software vendors are developing ways to detect and remove rootkits (3).

Some of the biggest vendors are testing beta versions of their antirootkit scanners, including F-Secure’s BlackLight, BitDefender’s UnCover, Microsoft’s Windows Defender and Sysinternals’ RootkitRevealer. All of these beta versions are available for testing. Importantly, Windows Defender is available only to Windows users who have a genuine licensed copy of Windows.
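As an added illustration, not taken from the original post and not the code of any scanner named above, here is the cross-view idea behind detectors such as RootkitRevealer applied to the "invisible to the task manager" trick: list processes the way a task manager does, then ask the kernel about every possible PID directly, and report anything that only the second view knows about. It targets Linux /proc (the 2006 tools were Windows-specific), and the constructed views in the first function let the logic run without a rootkit present.

```python
import os

def cross_view_hidden_pids(listed_pids, pid_alive, is_thread, max_pid):
    """Cross-view check: a PID that answers a direct kernel probe but is
    missing from the listing is a candidate hidden process. Thread IDs
    are excluded because Linux never lists them in /proc anyway. Views
    are injected so the logic can be exercised on constructed data."""
    listed = set(listed_pids)
    return {pid for pid in range(1, max_pid + 1)
            if pid not in listed and pid_alive(pid) and not is_thread(pid)}

def proc_listing():
    """High-level view: what ps or a task manager gets from readdir on
    /proc, which is exactly what a readdir-hooking rootkit filters."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def probe_pid(pid):
    """Low-level view: kill(pid, 0) sends nothing but tells whether the
    kernel knows the PID; EPERM still means the process exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def is_thread(pid):
    """True when the ID is a non-leader thread (its Tgid differs)."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def scan_hidden_processes(max_pid=32768):
    """Live scan, taken twice so a process that merely exited between the
    two views (an ordinary race) is not reported as hidden."""
    if not os.path.isdir("/proc"):
        return set()
    args = (probe_pid, is_thread, max_pid)
    first = cross_view_hidden_pids(proc_listing(), *args)
    return first & cross_view_hidden_pids(proc_listing(), *args)
```

On a /proc mounted with hidepid=2, other users' processes are reported as well, since they exist but are deliberately kept out of the listing; treat the result as a list of leads to confirm, not a verdict.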